How Twitter secured accounts after user credentials were sold online

Rumors of a Twitter breach started circulating yesterday afternoon, fittingly, on Twitter . Security researchers cautioned users to change their passwords and enable two-factor authentication, a feature that requires a user to verify their identity at login with a pincode sent to a trusted device.

But the rumors were wrong — at least partially. Although millions of Twitter handles and passwords were popping up for sale on the dark web, Twitter hadn’t suffered a breach. LeakedSource, a site that posted the data, speculated that the login credentials were harvested using malware, a plausible theory supported by Twitter’s own security team.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both,” Twitter trust and information security officer Michael Coates wrote in a blog post about the incident.

Twitter moved relatively quickly to secure its users’ accounts — the social media platform forced all users whose information was leaked to reset their passwords today.

In an interview with Wired, one of the hackers selling users’ login information said that he or she had initially offered the data privately to spammers and others targeting specific individuals’ accounts before putting it up for public sale. The individual told Wired that the LinkedIn data alone sold for roughly $20,000.

Coates says Twitter has been examining the stolen data from other sites and cross-checking it with Twitter’s own records to determine which accounts may be vulnerable and securing them with extra protection, including forced password resets.

“Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites.If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account,” Coates wrote.

Coates also noted that some of the passwords supposedly linked to Twitter accounts are not valid. Some hackers “bundle old breached data or repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z,” he explained.